PCI’s Money Making Cash Cow Not So Good for the Industry

Thursday, June 07, 2012

Andrew Weidenhamer


PCI’s Money Making Cash Cow, ISA Program, Not So Good for the Industry

The level of scrutiny the PCI DSS has been subject to over the last couple of years has been bad enough without further accentuating it with the advent of the ISA program.

I have written about the pros and cons of the ISA program before, but now that it is really starting to take off the cons strongly outweigh the pros.

First and foremost, the false sense of confidence the ISA program is giving individuals is insanely bad for the industry. Like any other industry certification, the ISA test isn’t difficult (yes, CISSP and CISA, I’m calling you out here).

I’ve seen individuals with very little information security experience pass this test and, as a side effect, *think* they know everything there is to know about the PCI DSS.

As a result, two things occur. First, the ISA actually believes they have the right to now bully their QSA when it comes to scoping, sampling, documentation, etc. The issue is, unless you have actually been a QSA and have performed multiple assessments for different sized organizations across different industries, you don’t have the experience to bully anyone.

This is the equivalent of Jeremy Lin trying to bully Kobe Bryant. As experienced QSAs, we just prefer you to take notes and learn during the assessment time frame, as knowledge transfer is going to be the most valuable thing to you.

Secondly, just because you have ISA appended to the end of your name does not make you a security expert. This is no different than having a CISSP or QSA appended to the back of your name. I don’t consider myself super religious, but I do find myself frequently asking God to stiffen the requirements on industry certifications.

Not only will this provide needed assurance of the qualifications of the person you are talking to, but it will start to restore some serious value to having the CISSP, as it once had. This will in turn give C-level executives the trust they need in our guidance and in how we are spending budgetary dollars within the organization.

Hell, it may even allow us to get more than 5% of IT’s annual budget each year for information security related items (hey... I can be an optimist).

Finally, I have yet to talk to an ISA who has not been influenced by company politics. When I actually have to argue with an ISA about a black and white requirement, such as whether or not call recordings containing cardholder data are in scope, it tells me one of two things: A) the ISA is being influenced by company politics to keep call recordings and the associated environment out of scope, or B) the ISA does not understand the requirements well enough to actually have a coherent argument.

Most times it’s the former of the two, and in all actuality, it’s probably a combination. This is scary considering the ISA, in some cases, can actually perform the Report on Compliance for the organization without the help of an experienced QSA. What regulation, other than maybe EU Safe Harbor certification, allows an organization to self-attest to a compliance mandate? That, as the kids are calling it nowadays, is Cray Cray (a.k.a. crazy).

In conclusion, I am not saying the ISA program doesn’t have its place. This blog is also not an attack on ISAs around the world. I am all for educating individuals on the PCI DSS. In fact, who knows, maybe someday I will also be an ISA. All I’m saying is that if you are an ISA, unless you have actually performed assessments before, please do not automatically assume you know what you are talking about.

Humble yourself and learn from those of us who actually have been in this line of work for a very long time. Also, adhere to your auditing code of ethics and don’t get caught up in someone else’s political agenda.

Remember the intent of your job. In case you have forgotten, let me remind you: it is to ensure your organization is meeting the intent of the PCI DSS and ultimately protecting cardholder data.

- Andrew (@aweidenhamer)

Gene Willacker: Wow! That was a pretty scathing indictment, Andrew. You must have encountered some real jerks.

I am an ISA, and when I do presentations that include descriptions of the ISA program I say that an ISA can question the findings of the QSA. I think questioning and debating are not the same thing, and they should never devolve to the point of bullying.

I'm an ISA because my job requires it. And I'm an ISA because I have made it a point to study the PCI DSS for years, in order to implement it in previous jobs. And I'm also an ISA because I had an opportunity to work with an experienced QSA and learned so much from that experience that I wished I had a job like that. I take the code of ethics seriously. If I question our QSA, it's because I read the testing procedures, I read the "Navigating..." document, double-checked the Glossary, and I still see things differently from him. We work it out.

I'm sorry that you have had such negative experiences with ISAs. We're not all like that.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.